1.1 List and Describe The Most Common Threats Against Contemporary Information Systems

Chapter 8 Review Question

1. Why are information systems vulnerable to destruction, error, and abuse?

1.1 List and describe the most common threats against contemporary information systems.

The most common threats against contemporary information systems include technical, organizational, and environmental factors compounded by poor management decisions.

1. Technical: Unauthorized access, introducing errors
2. Corporate servers: Hacking, viruses and worms, theft and fraud, vandalism, denial of service attacks
3. Communications: Tapping, sniffing, message alteration, theft and fraud, radiation
4. Corporate systems: Theft of data, copying data, alteration of data, hardware failure, and software failure. Power failures, floods, fires, or other natural disasters can also disrupt computer systems.
5. Poor management decisions: Poorly designed safeguards that protect valuable data from being lost, destroyed, or falling into the wrong hands.

1.2 Define malware and distinguish among a virus, a worm, and a Trojan horse.

• Malware is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, and spyware programs that gather information about a computer user without permission.

1. Virus: A program or programming code that replicates itself by being copied or initiating its copying to another program, computer boot sector or document.
2. Worm: A self-replicating virus that does not alter files but resides in active memory and duplicates itself without human intervention.
3. Trojan horse: A program in which malicious or harmful code is contained inside apparently harmless programming or data.

1.3 Define a hacker and explain how hackers create security problems and damage systems.

A hacker is an individual who gains unauthorized access to a computer system by finding weaknesses in the security protections used by Web sites and computer systems. Hackers can threaten the security of computer systems, steal goods and information, damage systems, and commit cybervandalism. They may intentionally disrupt, deface, or even destroy a Web site or corporate information system.

1.4 Define computer crime. Provide two examples of crime in which computers are targets and two examples in which computers are used as instruments of crime.

Computer crime is defined as the commission of illegal acts through the use of a computer or against a computer system.

Example 1: Intentionally accessing a protected computer and causing damage, negligently or deliberately
Example 2: Illegally accessing stored electronic communications, including e-mail and voice mail

1.5 Define identity theft and phishing and explain why identity theft is such a big problem today.

Identity theft is a crime in which an impostor obtains key pieces of personal information, such as a social security identification number, driver's license number, or credit card numbers.

The Internet has made it easy for identity thieves to use stolen information, because goods can be purchased online without any personal interaction.

1.6 Describe the security and system reliability problems created by employees.

The largest financial threats to businesses actually come from insiders, either through theft and hacking or through lack of knowledge. Malicious intruders may sometimes trick employees into revealing passwords and network access data through social engineering. Employees can also introduce faulty data or improperly process data. This is also known as administrative error. Administrative error is difficult to deal with because it isn't caught until too late, and the consequences may be disastrous. Also, administrative error can occur at any level and through any operation or procedure in the company. Employees may also fail to follow security procedures in relation to receiving external information, e-mail, Internet use, etc.

1.7 Explain how software defects affect system reliability and security.

Software can fail to perform, perform erratically, or give erroneous results because of undetected bugs. A control system that fails to perform can mean medical equipment that fails or telephones that do not carry messages or allow access to the Internet. A business system that fails means customers are under- or over-billed. Or, it could mean that the business orders more inventory than it needs. Or an automobile's braking system may fail.

2. What is the business value of security and control?

2.1 Explain how security and control provide value for businesses.

The business value of security and control:

1. Firms relying on computer systems for their core business functions can lose sales and productivity.
2. Information assets, such as confidential employee records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders or if they expose the firm to legal liability.

2.2 Describe the relationship between security and control and recent U.S. government regulatory requirements and computer forensics.

Legal actions requiring electronic evidence and computer forensics also require firms to pay more attention to security and electronic records management.

Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law.

Recent U.S. government regulatory requirements include:

1. Health Insurance Portability and Accountability Act (HIPAA)
2. Gramm-Leach-Bliley Act
3. Sarbanes-Oxley Act

3. What are the components of an organizational framework for security and control?

3.1 Define general controls and describe each type of general control.

General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure.

General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over implementation of system processes, and administrative controls.

3.2 Define application controls and describe each type of application control.

Application controls are specific controls unique to each computerized application. They include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application.

Application controls can be classified as:

1. Input controls: Check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling.
2. Processing controls: Establish that data are complete and accurate during updating.
3. Output controls: Ensure that the results of computer processing are accurate, complete, and properly distributed.
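The three classes of application controls, shown as code over a small payment batch. This is an added example and not part of the review answers: the batch, the account table, the authorized-submitter list and the names `input_controls`, `processing_controls` and `output_controls` are all constructed for the illustration. Input controls cover authorization, conversion, editing and error handling for each record; the processing control is a classic batch control (record count and control total must match what the submitter declared, or nothing is posted); the output control reconciles the posted total against the accepted input and addresses the report to a named recipient before it is distributed.

```python
"""Application controls on a constructed payment batch (added example)."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample data: a batch whose header carries the control figures
# the submitter claims, two bad records, and a reference account table.
SAMPLE_BATCH = {
    "submitter": "payroll-clerk",
    "declared_count": 4,
    "declared_total": "1350.00",
    "records": [
        {"account": "AC-1001", "amount": "500.00"},
        {"account": "AC-1002", "amount": "-50.00"},   # fails data editing
        {"account": "AC-9999", "amount": "100.00"},   # unknown account
        {"account": "AC-1003", "amount": "850.00"},
    ],
}
CLEAN_BATCH = {
    "submitter": "payroll-clerk",
    "declared_count": 2,
    "declared_total": "1350.00",
    "records": [
        {"account": "AC-1001", "amount": "500.00"},
        {"account": "AC-1003", "amount": "850.00"},
    ],
}
KNOWN_ACCOUNTS = {"AC-1001": Decimal("0"), "AC-1002": Decimal("0"), "AC-1003": Decimal("0")}
AUTHORIZED_SUBMITTERS = {"payroll-clerk"}


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    posted_total: Decimal = Decimal("0")
    status: str = "rejected"


def input_controls(batch):
    """Input authorization, data conversion, data editing and error handling."""
    result = BatchResult()
    if batch["submitter"] not in AUTHORIZED_SUBMITTERS:          # authorization
        result.errors.append("unauthorized submitter")
        return result
    for rec in batch["records"]:
        try:
            amount = Decimal(rec["amount"])                     # data conversion
        except (InvalidOperation, KeyError):
            result.errors.append(f"{rec}: amount not numeric")  # error handling
            continue
        if amount <= 0:                                         # data editing
            result.errors.append(f"{rec['account']}: non-positive amount")
        elif rec["account"] not in KNOWN_ACCOUNTS:
            result.errors.append(f"{rec['account']}: unknown account")
        else:
            result.accepted.append((rec["account"], amount))
    return result


def processing_controls(batch, result):
    """Completeness and accuracy during updating: the record count and the
    control total must equal the declared figures, otherwise nothing is posted."""
    total = sum((a for _, a in result.accepted), Decimal("0"))
    if len(result.accepted) != batch["declared_count"] or total != Decimal(batch["declared_total"]):
        result.errors.append(
            f"control mismatch: {len(result.accepted)} records / {total} "
            f"vs declared {batch['declared_count']} / {batch['declared_total']}")
        return result
    ledger = dict(KNOWN_ACCOUNTS)
    for account, amount in result.accepted:
        ledger[account] += amount
    result.posted_total = sum(ledger.values(), Decimal("0"))
    result.status = "posted"
    return result


def output_controls(result):
    """Reconcile the posted total with the accepted input before the report
    goes out, and address the report to a named recipient only."""
    accepted_total = sum((a for _, a in result.accepted), Decimal("0"))
    reconciled = result.status == "posted" and result.posted_total == accepted_total
    return {"recipient": "ap-supervisor", "reconciled": reconciled,
            "records": len(result.accepted), "posted_total": str(result.posted_total),
            "errors": list(result.errors)}


def run_batch(batch):
    """Run a batch through input, processing and output controls in order."""
    return output_controls(processing_controls(batch, input_controls(batch)))


if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))   # rejected: two bad records break the control totals
    print(run_batch(CLEAN_BATCH))    # posted and reconciled
```

The point of the batch control is that the two rejected records do not silently shrink the posting: because the declared count and total no longer match, the whole batch stops and the error list goes to the supervisor rather than a partial update reaching the ledger.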

3.3 Describe the function of risk assessment and explain how it is conducted for information systems.

A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled.

Two elements of a risk analysis that should be considered are:

(1) identifying the assets and
(2) identifying the threats.

3.4 Define and describe the following: security policy, acceptable use policy, and identity management.

A security policy consists of statements ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals. The security policy drives policies determining acceptable use of the firm's information resources and which members of the company have access to its information assets.

An acceptable use policy (AUP) defines acceptable uses of the firm's information resources and computing equipment, including desktop and laptop computers, wireless devices, telephones, and the Internet. The policy should clarify company policy regarding privacy, user responsibility, and personal use of company equipment and networks. A good AUP defines unacceptable and acceptable actions for each user and specifies consequences for noncompliance.

Identity management consists of business processes and software tools for identifying valid system users and controlling their access to system resources. It includes policies for identifying and authorizing different categories of system users, specifying what systems or portions of systems each user is allowed to access, and the processes and technologies for authenticating users and protecting their identities.

3.5 Explain how MIS auditing promotes security and control.

Comprehensive and systematic MIS auditing helps organizations determine the effectiveness of security and controls for their information systems. An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. Control weaknesses and their probability of occurrence will be noted. The results of the audit can be used as guidelines for strengthening controls, if required.

4. What are the most important tools and technologies for safeguarding information resources?

4.1 Name and describe three authentication methods.

Authentication refers to the ability to know that a person is who he or she claims to be. Some methods are described below:

1. What you know: Passwords known only to the authorized users.
2. What you have:
   • A token is a physical device that is designed to provide the identity of a single user.
   • A smart card is a device that contains a chip formatted with access permission and other data.
3. What you are: Biometrics is based on the measurement of a physical or behavioral trait that makes each individual unique.

4.2 Describe the roles of firewalls, intrusion detection systems, and antivirus software in promoting security.

A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. Firewalls prevent unauthorized users from accessing internal networks. They protect internal systems by monitoring packets for the wrong source or destination, or by offering a proxy server with no access to the internal documents and systems, or by restricting the types of messages that get through, for example, e-mail. Further, many authentication controls have been added for Web pages as part of firewalls.

Intrusion detection systems monitor the most vulnerable points or "hot spots" in a network to detect and deter unauthorized intruders. These systems often also monitor events as they happen to look for security attacks in progress. Sometimes they can be programmed to shut down a particularly sensitive part of a network if it receives unauthorized traffic.

Antivirus software is designed to check computer systems and drives for the presence of computer viruses and worms and often eliminates the malicious software, whereas antispyware software combats intrusive and harmful spyware programs. Often the software can eliminate the virus from the infected area. To be effective, antivirus software must be continually updated.
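What "monitoring packets for the wrong source or destination" and "restricting the types of messages that get through" look like in code, together with the simplest form of the intrusion-detection check described alongside it. This is an added example, not part of the review answers: the rule base, the network addresses, the packet records and the function names `filter_packet` and `detect_scanners` are constructed for the illustration. The filter evaluates rules top to bottom with a default-deny fallback, rejects packets that arrive on the outside interface while claiming an internal source address, and the detection step flags any source whose packets keep hitting the deny rule, which is the kind of condition an IDS would alert on.

```python
"""Stateless packet filter with default deny plus a deny-count IDS check (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # constructed: the protected internal range

# Constructed rule base; first matching rule wins.
# Fields: (action, source network, destination network, protocol, destination port)
RULES = [
    ("deny",  "0.0.0.0/0",      "10.0.0.0/8",   "tcp", 23),   # no telnet into the internal range
    ("allow", "0.0.0.0/0",      "10.0.1.0/24",  "tcp", 443),  # web traffic only to the DMZ subnet
    ("allow", "10.0.0.0/8",     "0.0.0.0/0",    "tcp", 25),   # outbound mail from inside
    ("allow", "192.168.5.0/24", "10.0.2.10/32", "tcp", 22),   # admin subnet to one jump host
]
DEFAULT_ACTION = "deny"            # anything not explicitly allowed is dropped

# Constructed traffic sample: each record is one packet as the firewall sees it.
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "203.0.113.7", "dst": "10.0.1.20",    "proto": "tcp", "dport": 443},
    {"iface": "outside", "src": "203.0.113.7", "dst": "10.0.1.20",    "proto": "tcp", "dport": 23},
    {"iface": "inside",  "src": "10.0.2.5",    "dst": "198.51.100.9", "proto": "tcp", "dport": 25},
    {"iface": "inside",  "src": "192.168.5.4", "dst": "10.0.2.10",    "proto": "tcp", "dport": 22},
    {"iface": "outside", "src": "203.0.113.7", "dst": "10.0.1.20",    "proto": "tcp", "dport": 22},
    {"iface": "outside", "src": "203.0.113.7", "dst": "10.0.1.20",    "proto": "udp", "dport": 53},
    {"iface": "outside", "src": "10.0.1.5",    "dst": "10.0.1.20",    "proto": "tcp", "dport": 443},
]


def rule_matches(rule, pkt):
    """True when the packet's source, destination, protocol and port all fit the rule."""
    _, src_net, dst_net, proto, dport = rule
    return (ip_address(pkt["src"]) in ip_network(src_net)
            and ip_address(pkt["dst"]) in ip_network(dst_net)
            and pkt["proto"] == proto
            and pkt["dport"] == dport)


def filter_packet(pkt):
    """Return (action, reason). The anti-spoofing check runs before the rule
    base: a packet on the outside interface must not claim an internal source."""
    if pkt["iface"] == "outside" and ip_address(pkt["src"]) in INTERNAL:
        return "deny", "spoofed internal source"
    for index, rule in enumerate(RULES):
        if rule_matches(rule, pkt):
            return rule[0], f"rule {index}"
    return DEFAULT_ACTION, "default"


def detect_scanners(packets, threshold=3):
    """IDS-style check: sources whose packets were denied `threshold` or more
    times in the sample, sorted for a stable report."""
    denied = Counter(p["src"] for p in packets if filter_packet(p)[0] == "deny")
    return sorted(src for src, count in denied.items() if count >= threshold)


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt["dport"], filter_packet(pkt))
    print("sources to alert on:", detect_scanners(SAMPLE_PACKETS))
```

Two design points carry over to real firewalls: the rule order matters (the telnet deny sits above the broader allows so it cannot be shadowed), and the default is deny, so a new protocol or port is blocked until someone writes a rule for it rather than allowed until someone notices.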

4.3 Explain how encryption protects information.

Encryption, the coding and scrambling of messages, is a widely used technology for securing electronic transmissions over the Internet and over Wi-Fi networks. Encryption offers protection by keeping messages or packets hidden from the view of unauthorized readers. Encryption is crucial for ensuring the success of electronic commerce between the organization and its customers and between the organization and its vendors.

4.4 Describe the role of encryption and digital certificates in a public key infrastructure.

Digital certificates combined with public key encryption provide further protection of electronic transactions by authenticating a user's identity. Digital certificates are data fields used to establish the identity of the sender and to provide the receiver with the means to encode a reply. They use a trusted third party known as a certificate authority to validate a user's identity. Both digital signatures and digital certificates play a role in authentication. Authentication refers to the ability of each party to know that the other parties are who they claim to be.
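The relationships described in 4.3 and 4.4 in miniature: a certificate authority signs a certificate that binds a subject's name to its public key, a customer who trusts only the CA validates that signature, and then uses the public key the certificate vouches for to encrypt a reply that only the subject can read. This is an added example, not part of the review answers. The keys are textbook RSA built from small fixed primes with no padding, and the party names `Example CA` and `shop.example`, the function names and the reply text are all constructed for the illustration; the block shows the structure of a PKI, not key sizes or a signature scheme anyone should deploy.

```python
"""A public key infrastructure in miniature with toy RSA keys (added example)."""
import hashlib
import json

E = 65537   # public exponent


def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (e, n), (d, n)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def digest_int(data, n):
    """SHA-256 of the data as an integer below the modulus (toy: no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    d, n = private
    return pow(digest_int(data, n), d, n)


def verify(public, data, signature):
    e, n = public
    return pow(signature, e, n) == digest_int(data, n)


def issue_certificate(ca_private, subject, subject_public):
    """The CA binds the subject name to the subject's public key and signs the binding."""
    body = {"subject": subject, "public_key": list(subject_public), "issuer": "Example CA"}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_private, encoded)}


def validate_certificate(cert, ca_public, expected_subject):
    """The receiver needs only the CA's public key to check who the certificate names."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return (cert["body"]["subject"] == expected_subject
            and verify(ca_public, encoded, cert["signature"]))


def encrypt_reply(public, message):
    """Encrypt a short reply to the certified public key (toy: message must fit below n)."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt_reply(private, ciphertext):
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed parties. The primes are small Mersenne primes chosen so the
# arithmetic is quick; they give toy key sizes, nothing more.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
SHOP_PUBLIC, SHOP_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)
SHOP_CERT = issue_certificate(CA_PRIVATE, "shop.example", SHOP_PUBLIC)


def customer_transaction(cert, ca_public, reply=b"order 42 accepted"):
    """A customer trusting only the CA validates the shop's certificate, then
    encrypts a reply to the key it vouches for. Returns None if validation fails."""
    if not validate_certificate(cert, ca_public, "shop.example"):
        return None
    return encrypt_reply(tuple(cert["body"]["public_key"]), reply)


if __name__ == "__main__":
    ciphertext = customer_transaction(SHOP_CERT, CA_PUBLIC)
    print("shop decrypts:", decrypt_reply(SHOP_PRIVATE, ciphertext))
    tampered = {"body": dict(SHOP_CERT["body"], subject="other.example"),
                "signature": SHOP_CERT["signature"]}
    print("tampered certificate accepted:", validate_certificate(tampered, CA_PUBLIC, "other.example"))
```

The customer never needs a prior relationship with the shop: the only key it has to trust in advance is the CA's, and the certificate carries everything else. Changing any field of the certificate body breaks the CA signature, which is why an altered subject name is rejected in the tampered case.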
4.5 Distinguish between fault-tolerant and high-availability computing, and between disaster recovery planning and business continuity planning.

Fault-tolerant computer systems contain redundant hardware, software, and power supply components that can back the system up and keep it running to prevent system failure. Some systems simply cannot be allowed to stop, such as stock market systems or some systems in hospitals. Fault-tolerant computers contain extra memory chips, processors, and disk storage devices to back up a system and keep it running. They also can use special software routines or self-checking logic built into their circuitry to detect hardware failures and automatically switch to a backup device. High-availability computing, though also designed to maximize application and system availability, helps firms recover quickly from a crash. Fault tolerance promises continuous availability and the elimination of recovery time altogether. High-availability computing environments are a minimum requirement for firms with heavy electronic commerce processing requirements or for firms that depend on digital networks for their internal operations.

Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services. Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.

4.6 Identify and describe the security problems posed by cloud computing.

Accountability and responsibility for protection of sensitive data reside with the company owning that data even though it's stored offsite. The company needs to make sure its data are protected at a level that meets corporate requirements. The company should stipulate to the cloud provider how its data is stored and processed in specific jurisdictions according to the privacy rules of those jurisdictions. The company needs to verify with the cloud provider how its corporate data is segregated from data belonging to other companies and ask for proof that encryption mechanisms are sound. The company needs to verify how the cloud provider will respond if a disaster strikes. Will the cloud provider be able to completely restore the company's data, and how long will that take? Will the cloud provider submit to external audits and security certifications?

4.7 Describe measures for improving software quality and reliability.

Using software metrics and rigorous software testing are two measures for improving software quality and reliability.

Software metrics are objective assessments of the system in the form of quantified measurements. Metrics allow an information systems department and end users to jointly measure the performance of a system and identify problems as they occur. Metrics must be carefully designed, formal, objective, and used consistently.

Examples of software metrics include:

1. Number of transactions that can be processed in a specified unit of time
2. Online response time
3. Number of known bugs per hundred lines of program code

Testing can be accomplished through the use of:

1. Walkthroughs: A review of a specification or design document by a small group of people
2. Coding walkthroughs: Once developers start writing software, these can be used to review program code.
3. Debugging: When errors are discovered, the source is found and eliminated
